Naked Security reader Simcha Jessel sent us a tip about a new phishing scam targeting customers of Comcast XFINITY cable internet service.

Jessel became aware of the scam after the scammers used his Gmail address to send the scam to their intended victims. It is unclear whether his Gmail account was hacked or his address was simply forged in the email headers; both are common practices for phishers.

The emails read in part:

"Dear Comcast Customer,
The Constant Guard™ service has updated the Online Security of Comcast Users. To link your account to our new update you just need to re-login your account using the secure link bellow. The link will redirect you to our update login page. Simply login your account and the account will automaticly be updated."

The link pointed at a TinyURL which redirected victims to a compromised higher education institution website in India. Like many other sites that are compromised to host phishing pages, this one appears to have been compromised through vulnerable FrontPage server extensions.

Yes, I said FrontPage. The old Microsoft Office package used for building and publishing web sites. Microsoft discontinued support for FrontPage publishing extensions in 2006 and they have been the source of many web site vulnerabilities over the last 15 years.

The fake page is an identical copy of the real Comcast XFINITY login page, and surprisingly includes a fully functional TRUSTe logo which may lend further credibility to the site.

I've highlighted issues with services like TRUSTe before and even contacted the company for comment on what they are doing to limit fraud and ensure its seal means something. It has been over five months and I have yet to receive a reply from the company.

Always be suspicious of unsolicited emails you receive asking you to log in and verify information, especially if they contain links to the site in question. If you believe it may be legitimate, be sure to open a new tab in your browser and visit the site directly to confirm the veracity of the message.
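The mismatches described above (a Comcast-branded message sent from a Gmail address, with a link hidden behind a URL shortener) can be checked mechanically. The following triage sketch is an added example, not part of the original article; the brand domain allow-list, the shortener list and the sample message are assumptions constructed for illustration, and it handles single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed lists for illustration: the brand's own domains and common shorteners.
BRAND_DOMAINS = {"comcast.com", "comcast.net", "xfinity.com"}
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly"}
BRAND_WORDS = re.compile(r"\b(comcast|xfinity)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_message):
    """Return findings for a single-part text message that invokes the brand."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    findings = []
    if not BRAND_WORDS.search(msg.get("Subject", "") + "\n" + body):
        return findings  # brand is never mentioned, so there is nothing to compare
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domains(sender_host, BRAND_DOMAINS):
        findings.append(f"sender domain {sender_host!r} is not a brand domain")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if in_domains(host, SHORTENERS):
            findings.append(f"link {url} hides its destination behind a shortener")
        elif not in_domains(host, BRAND_DOMAINS):
            findings.append(f"link host {host!r} is not a brand domain")
    return findings

# Constructed sample modelled on the lure quoted above; the sender address and
# the shortened link are placeholders, not values from the original message.
SAMPLE = """\
From: Some Reader <reader@gmail.com>
Subject: Constant Guard update

Dear Comcast Customer,
To link your account to our new update you just need to re-login your
account using the secure link bellow: http://tinyurl.com/EXAMPLE
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("SUSPICIOUS:", finding)
```

A forged From header would pass the sender check, so the link findings carry more weight than the sender finding.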

9 Responses to Comcast users phished by Constant Guard spam lure

I have received popup boxes with the same message. It pops up on every page I open for a few days then stops. It has happened a few times, each for a few days. Today I also received the Google message about the DNS Changer. I am trying to change it now so I do not lose internet connectivity on July 9th.

There are also at least two ridiculous spelling errors in the email message, which is a huge clue that it's not legit. On the other hand, if the message, too, is a direct lift from Comcast, someone at Comcast's marketing department needs to learn to spell...

I was rather annoyed to discover that I could not get out to the Internet without first installing Comcast's own software (which forcibly included a tool bar, ugh), so I would not be surprised if people readily fall for this assuming it is legit or even required. Of course, the tinyurl should be an enormous clue, along with the already mentioned spelling errors, but ISPs do themselves no favours by bombarding their own customers with spammy 'extras'. Then they wonder why their customers fall prey to phishing scams.

This happens literally every day. Maybe not the TRUSTe part, but phishing sites that mimic the source code are common. In fact Comcast has an alert page dedicated to phishing which is updated constantly. As for the pop up some of you are getting, there is a phone number clearly there to call to remove it. Plus the representatives are trained on the issue. If you're sick of the pop up, call the number and they will take it down and offer more suggestions.

I had my password hijacked last week. Got control of it back finally and the culprit and her cohort that was getting my emails forwarded to have been identified and hopefully punished by MSN. They spoofed a Hotmail Alert and that is how they stole my password. Took over a week to jump through all the many hoops to wrest my account back, but it has been well worth it and lesson learned.

I do not have an account with Comcast. Is any Legal action being taken to protect Me from National-Cyber-Security-Alliance "constant guard"? This must stop collecting Information on computers without consent.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics.
You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.